Analysis
max time kernel: 73s
max time network: 78s
platform: windows10_x64
resource: win10v20210408
submitted: 20-09-2021 12:04
Static task: static1
Behavioral task: behavioral1
  Sample: ORDER WORKBOOK.exe
  Resource: win7-en-20210916 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: ORDER WORKBOOK.exe
  Resource: win10v20210408 (windows10_x64)
  0 signatures, 0 seconds
General
Target: ORDER WORKBOOK.exe
Size: 1.3MB
MD5: 38c3c643e80618c83b80b990ae16abe2
SHA1: ee93f02563f008c2715c26b4f8478410e09babcd
SHA256: ff2f7cc30d0eca889fbe37a6ea28172ac1dc0b2ea3563a622cc7de25a96e07f6
SHA512: 26328038bbbb4523fd0dbfa8338a1bb09833a5c70de4240aa29944f4d103d358afe673246b924bb69a1f4134b0e945cf03b40685970e863a7f29d5ed02c24111
Score: 10/10
Malware Config
Extracted
Family: azorult
C2: http://136.144.41.34/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
description                        | pid | process            | target process
PID 992 set thread context of 988  | 992 | ORDER WORKBOOK.exe | ORDER WORKBOOK.exe (988)
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description                        | pid | process            | target process
PID 992 wrote to memory of 988     | 992 | ORDER WORKBOOK.exe | ORDER WORKBOOK.exe (988)
(the same row is recorded 9 times, one per write)
Taken together, the two signatures show the sample writing into a second instance of its own image (PID 992 into PID 988) and then redirecting that process's thread context, the sequence typical of process hollowing of a suspended copy of itself.
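As an added example (not part of the sandbox report or the sandbox's own code), the script below decodes the two flattened signature rows above and the dump names from the Downloads list, correlates the cross-process WriteProcessMemory calls with the SetThreadContext call between the same PID pair, and checks that the "mapping" address recorded for the target process falls inside the region that was dumped for it. The row and dump strings are copied from this report; the regexes, the record layout and the ATT&CK sub-technique label (T1055.012, process hollowing) are this example's own assumptions.

```python
"""Correlate sandbox API signatures into a process-hollowing finding (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed from the report: one SetThreadContext row and nine identical
# WriteProcessMemory rows, as they appear flattened on the page.
SIGNATURE_ROWS = (
    ["PID 992 set thread context of 988 992 ORDER WORKBOOK.exe ORDER WORKBOOK.exe"]
    + ["PID 992 wrote to memory of 988 992 ORDER WORKBOOK.exe ORDER WORKBOOK.exe"] * 9
)

# Constructed from the report's Downloads list.
DUMP_NAMES = [
    "memory/988-116-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/988-117-0x000000000041A1F8-mapping.dmp",
    "memory/988-118-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/992-114-0x0000000002540000-0x0000000002541000-memory.dmp",
    "memory/992-115-0x0000000002541000-0x0000000002542000-memory.dmp",
]

# Assumed row layout: "PID <src> <verb> <dst> <pid> <process> <target process>".
# Process names may contain spaces, so match non-greedily up to ".exe".
ROW_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) "
    r"(\d+) (.+?\.exe) (.+?\.exe)$"
)
# Assumed dump-name layout: memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
# or memory/<pid>-<n>-0x<addr>-mapping.dmp.
DUMP_RE = re.compile(
    r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-(?:0x([0-9A-Fa-f]+)-memory|mapping)\.dmp$"
)


@dataclass(frozen=True)
class ApiEvent:
    api: str
    pid: int
    process: str
    target_pid: int
    target_process: str


def parse_rows(rows):
    """Decode flattened signature rows into ApiEvent records; rows that do not match are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        src, verb, dst, _pid_again, proc, target = m.groups()
        api = "SetThreadContext" if verb.startswith("set thread") else "WriteProcessMemory"
        events.append(ApiEvent(api, int(src), proc, int(dst), target))
    return events


def find_hollowing(events):
    """Flag (pid -> target_pid) pairs that show cross-process writes plus a thread-context
    change: the WriteProcessMemory + SetThreadContext pattern of process hollowing
    (labelled T1055.012 here). same_image=True means the target is a copy of the writer."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev.pid != ev.target_pid:  # ignore a process touching its own memory
            by_pair[(ev.pid, ev.target_pid)].append(ev)
    findings = []
    for (pid, target_pid), evs in sorted(by_pair.items()):
        writes = [e for e in evs if e.api == "WriteProcessMemory"]
        ctx = [e for e in evs if e.api == "SetThreadContext"]
        if writes and ctx:
            findings.append({
                "pid": pid,
                "target_pid": target_pid,
                "process": evs[0].process,
                "target_process": evs[0].target_process,
                "writes": len(writes),
                "same_image": evs[0].process == evs[0].target_process,
                "technique": "T1055.012",
            })
    return findings


def injected_region(dump_names, target_pid):
    """Return (mapping address, (start, end)) pairs where a '-mapping.dmp' address
    recorded for target_pid lies inside one of that process's dumped regions."""
    regions, mappings = set(), []
    for name in dump_names:
        m = DUMP_RE.match(name)
        if not m or int(m.group(1)) != target_pid:
            continue
        if m.group(3):
            regions.add((int(m.group(2), 16), int(m.group(3), 16)))
        else:
            mappings.append(int(m.group(2), 16))
    return [(addr, reg) for addr in mappings for reg in sorted(regions)
            if reg[0] <= addr < reg[1]]


if __name__ == "__main__":
    for f in find_hollowing(parse_rows(SIGNATURE_ROWS)):
        print(f)
        for addr, (start, end) in injected_region(DUMP_NAMES, f["target_pid"]):
            print(f"  thread context points to 0x{addr:X} inside 0x{start:X}-0x{end:X}")
```

For this report the correlation yields a single finding (992 writing nine times into 988, then setting its thread context, both processes running the same image) and the 0x41A1F8 mapping address for PID 988 lies inside the dumped 0x400000-0x420000 region, so that 128KB dump is the one to carve for the unpacked payload.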
Downloads
memory/988-116-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
memory/988-117-0x000000000041A1F8-mapping.dmp
memory/988-118-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
memory/992-114-0x0000000002540000-0x0000000002541000-memory.dmp (4KB)
memory/992-115-0x0000000002541000-0x0000000002542000-memory.dmp (4KB)